Commit graph

16992 commits

Author SHA1 Message Date
Michael Braun
2da3105ac1 Fix use after free with hapd->time_adv on interface restart
When an interface is disabled, e.g. due to radar detected,
hapd->time_adv is freed by hostapd_free_hapd_data(), but later
used by ieee802_11_build_ap_params() calling hostapd_eid_time_adv().

Thus hapd->time_adv needs to be cleared as well.

Fixes: 39b97072b2 ("Add support for Time Advertisement")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2021-03-06 11:37:26 +02:00
Jouni Malinen
48e2725f5a Add a link to Patchwork for a list of pending patches
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-06 11:26:20 +02:00
Jouni Malinen
fa4cd46c37 tests: Roam command during a scan operation
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-06 11:11:21 +02:00
Matthew Wang
5ac977758d Reject authentication start during explicit roam requests
The roam D-Bus and ROAM control itnerface commands flip the reassociate
bit before calling wpa_supplicant_connect(). wpa_supplicant connect
eventually aborts ongoing scans (if any), which causes scan results to
be reported. Since the reassociate bit is set, this will trigger a
connection attempt based on the aborted scan's scan results and cancel
the initial connetion request. This often causes wpa_supplicant to
reassociate to the same AP it is currently associated to instead of the
explicitly requested roaming target.

Add a roam_in_progress flag to indicate that we're currently attempting
to roam via an explicitly request to a specific BSS so that we don't
initiate another connection attempt based on the possibly received scan
results from a scan that was in progress at the time the roam command
was received.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2021-03-06 10:59:05 +02:00
Kiran Kumar Lokere
800fb69970 QCA vendor attribute to allow 6 GHz connection with all security types
Add a QCA vendor attribute to configure the driver to allow the 6 GHz
connection with all security types. This attribute is used for testing
purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-04 18:05:06 +02:00
Kiran Kumar Lokere
1a60099f26 QCA vendor attribute to ignore SAE H2E requirement mismatch
Add a QCA vendor attribute to ignore SAE H2E requirement mismatch for 6
GHz connection. This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-04 18:04:07 +02:00
Jouni Malinen
ed14b29f38 wpaspy: Do not mark not-existing UNIX domain socket as UDP
os.stat(path) failure is an ambigious indication of the control
interface "path" type (UDP hostname vs. UNIX domain socket path). The
path may be a valid UNIX domain socket path, but that socket could have
been removed just before reaching here. At least the hwsim test case
concurrent_p2pcli managed to hit the "connect exception" print below
from UDP handling even when using a UNIX domain socket.

Work around incorrect determination of control interface socket type by
assuming anything starting with '/' is a UNIX domain socket and not a
hostname.

Fixes: a2c88a8025 ("wpaspy: Add support for UDP connection")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-01 12:51:20 +02:00
Jouni Malinen
8d80aa3fca tests: Fix openssl_systemwide_policy cleanup
Need to close the WpaSupplicant instance on the extra radio before
returning from this test case since that interface is going to be
removed and WpaSupplicant.__del__() can time out on trying to detach the
monitor connection after that.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-01 12:34:05 +02:00
Nikolas Nyby
e9d598d8a8 Update old link to ACS wiki documentation
The old links here were broken.

Signed-off-by: Nikolas Nyby <nikolas@gnu.org>
2021-03-01 11:14:46 +02:00
Jouni Malinen
024fcb22ca tests: hostapd RELOAD with invalid configuration
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-01 11:13:46 +02:00
Jouni Malinen
ff6a305ced tests: OCV override in FT Reassociation Response
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 23:50:50 +02:00
Jouni Malinen
b5e3d92ee4 OCV: Fix OCV-FAILURE event address for FT Reassociation Response frame
sm->bssid is still the BSSID of the previous AP at this point in the FT
protocol, so need to show the target AP's BSSID instead in the failure
message.

Fixes: 8c1f61e820 ("OCV: Report OCI validation failures with OCV-FAILURE messages (STA)")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 23:50:50 +02:00
Jouni Malinen
fdb8c40c7f tests: OCV override in FILS Association Response
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 23:50:50 +02:00
Jouni Malinen
ecc46f2900 tests: Move ERP/FILS capability checks to utils.py
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 23:50:50 +02:00
Jouni Malinen
8884e33eef tests: WMM parameter update failing during beacon template update
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:58:24 +02:00
Jouni Malinen
811d26705a tests: DPP config overrides in hostapd
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:48:00 +02:00
Jouni Malinen
e5ee60ade0 tests: hostapd and setband
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:40:43 +02:00
Jouni Malinen
6abf7c0419 tests: wpa_deny_ptk0_rekey in hostapd GET_CONFIG
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:31:58 +02:00
Jouni Malinen
0f51caa513 tests: hostapd GET_CONFIG entries for Multi-AP
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:31:58 +02:00
Jouni Malinen
250cb99f4d tests: Additional coverage for hostapd GET_CONFIG key_mgmt values
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:31:58 +02:00
Jouni Malinen
8c6723b7f3 tests: Invalid COLOC_INTF_REQ parameters
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:31:58 +02:00
Jouni Malinen
73a3ef8c5d tests: WPS status "Timed-out" from hostapd
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:31:58 +02:00
Jouni Malinen
35672faae5 tests: WPS PBC overlap indication from hostapd
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:31:58 +02:00
Jouni Malinen
e8e2d9ff6b tests: Additional coverage for WPS_AP_PIN error case
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:31:58 +02:00
Jouni Malinen
38e700198e tests: Display unexpected stdout and stderr prints in parallel-vm.py
Make it more difficult to miss issues that were previously only printed
out in /tmp/hwsim-test-logs/*-parallel.log. This covers things like
memory leaks and test script failures or forgotten development time
prints to stdout.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 22:31:58 +02:00
Jouni Malinen
40551a15c1 Fix a memory leak in WPS with ap_scan=2
The wpa_ie buffer is now allocated here and needs to be freed before
returning from the function.

Fixes: d2ba0d719e ("Move assoc param setting into a helper function")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:46:32 +02:00
Jouni Malinen
900adb3c9f FILS: Simplify code paths
Use a shared code path for freeing the wpa_ie buffer to avoid
unnecessary complexity with a separate return for the non-FILS case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:42:06 +02:00
Jouni Malinen
4a5f6e88b2 SAE: Use more explicit IE payload validation steps
This is an attempt of making the code easier to understand for static
analyzers. The helper functions were already verifying that these IEs
are fully within the memory buffer, but that may not have been clear
enough for automated analysis.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:39:49 +02:00
Jouni Malinen
57fec19dab Use more consistent iface->conf checks
Commit f1df4fbfc7 ("mesh: Use setup completion callback to complete
mesh join") added a check for iface->conf being NULL into a debug print.
However, it is not clear how that could be NULL here. In any case,
setup_interface() could end up dereferencing iface->conf in the call to
hostapd_validate_bssid_configuration(), so better be consistent with the
checks and not get warnings from static analyzers regardless of whether
this can happen in practice.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:51:16 +02:00
Jouni Malinen
b8211e1e75 PASN: Avoid unreachable code with CONFIG_NO_RADIUS
There is no point in trying to build in rest of this function if in the
middle of it the CONFIG_NO_RADIUS case would unconditionally fail.
Simply make all of this be conditional on that build parameter not being
set to make things easier for static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:37:47 +02:00
Jouni Malinen
9a1136b7f1 FILS: Fix RSN info in FD frame for no-group-addressed
The value from the initial RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED check
ended up getting overridden with the following if. This was supposed to
be a single if statement to avoid that.

Fixes: 9c02a0f5a6 ("FILS: Add generation of FILS Discovery frame template")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:27:42 +02:00
Jouni Malinen
6035969e0e Fix dynamic EAP library building
Build eap_*.so into the wpa_supplicant similarly with the wpa_supplicant
binary and include the shared helper functions from additional files
into the builds. This got broken at some point with the build system
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 23:42:21 +02:00
Jouni Malinen
8ea3561c6c tests: Fix sigma_dut_ap_dpp_tcp_enrollee_init to stop hostapd
This test case was missing an explicit CAPI ap_reset_default and that
could result in hostapd being left running at the end of the test case.
This could result in issues with following test cases if they used a new
radio interface from HWSimRadio().

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 21:07:54 +02:00
Jouni Malinen
32360ad498 wlantest: Fix broadcast EAPOL-Key frame handling
This resulted in an attempt to dereference a NULL pointer since sta_addr
is not known in this type of a case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-27 20:27:06 +02:00
Jouni Malinen
a826ff2d95 Ignore group-addressed SA Query frames
These frames are used for verifying that a specific SA and protected
link is in functional state between two devices. The IEEE 802.11
standard defines only a case that uses individual MAC address as the
destination. While there is no explicit rule on the receiver to ignore
other cases, it seems safer to make sure group-addressed frames do not
end up resulting in undesired behavior. As such, drop such frames
instead of interpreting them as valid SA Query Request/Response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-27 20:27:00 +02:00
Jimmy Chen
d314213f6c P2P: Pick a 5 GHz channel from more possible channels
For an autonomous P2P group on the 5 GHz band, a channel was picked only
from the operating class 115 which is not available in the EU region
anymore. As a result, an autonomous group creation would always fail in
this generic 5 GHz channel case.

There are more possible available channels for the 5 GHz currently.
Especially in the EU region, the operating class 115 channels are no
longer available, but SRD channels (the operating class 124) are
available. Allow them to be used here if they are marked as allowed for
P2P GO use.

In addition, iterate through all the potential options instead of just
checking the first randomly picked channel. Start this iteration from
random position to maintain some randomness in this process.

Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
2021-02-27 19:19:35 +02:00
Jouni Malinen
468efe79a7 tests: Work around exception handling issue in wpas_config_file
Raising an exception while the wlan5 interface was remove (i.e., between
wpas.interface_remove() and .interface_add() calls) would result in the
cleanup code failing and generating yet another exception while the
first one was being processed. Work around this by re-adding the wlan5
interface back temporarily if the interface is not available for the
cleanup operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 18:10:41 +02:00
Jouni Malinen
205c35ceff nl80211: Allow compilation with both vendor do_acs() handlers
Use a helper function as the do_acs() callback to allow builds to pull
in all the vendor specific operations into a single binary.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 17:57:08 +02:00
Xinrui Sun
61a258e784 nl80211: Add ACS support for Broadcom device
BRCM vendor command used to trigger ACS scan. After ACS finished,
DHD driver will send results by event BRCM_VENDOR_EVENT_ACS.

Signed-off-by: Xinrui Sun <xinrui.sun@broadcom.com>
2021-02-27 12:14:09 +02:00
Jouni Malinen
90d3ee383f tests: RADIUS client device specified
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 10:51:15 +02:00
Ben Greear
827b43b3ca RADIUS client: Support SO_BINDTODEVICE
Allow the RADIUS client socket to be bound to a specific netdev. This
helps hostapd work better in VRF and other fancy network environments.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Andreas Tobler <andreas.tobler at onway.ch>
2021-02-27 10:51:15 +02:00
Sunil Dutt
3a05f89edc Android: Add DRIVER command support on hostapd and hostapd_cli
Add DRIVER command support on hostapd and hostapd_cli on Android
similarly to the way this previously enabled in wpa_supplicant and
wpa_cli.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-26 20:22:41 +02:00
Sreeramya Soratkal
50baf345b4 TDLS: Support TDLS operations in HE mode
Determine if the TDLS peer is HE capable based on HE Capability element
received in the TDLS Setup Response frame. Indicate the peer's HE
capabilities to the driver through sta_add().

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-02-26 20:16:48 +02:00
Jouni Malinen
184c824689 P2P: Add device address to the debug entry on oldest peer removal
This makes it easier to understand debug logs with large number of peer
entries.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-25 20:09:58 +02:00
Jouni Malinen
8460e32309 P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.

Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.

Fixes: 17bef1e97a ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-25 20:09:46 +02:00
Kiran Kumar Lokere
59e9794c7d QCA vendor attribute to configure Punctured Preamble Rx in HE cap
Add a QCA vendor attribute to enable/disable the Punctured Preamble Rx
support in HE PHY capabilities.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:37 +02:00
Kiran Kumar Lokere
875d7be38c QCA vendor attribute to disable data and management frame Tx
Add a QCA vendor attribute to configure the driver to disable data and
management response frame transmission to test the BSS max idle period
feature.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:31 +02:00
Kiran Kumar Lokere
ecb7590f34 QCA vendor attribute to configure RU 242 tone for data Tx
Add a QCA vendor attribute to configure the driver/firmware to use only
RU 242 tone for data frame transmission.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:27 +02:00
Kiran Kumar Lokere
8d23297128 QCA vendor attribute to configure BSS max idle period
Add a QCA vendor attribute to configure the driver with a specific BSS
max idle period value to advertise in (Re)Association Request frames.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:21 +02:00
Jouni Malinen
dc72854fe2 Fix handle_auth_cb() message length check regression
Reordering of code in handle_auth_cb() when adding support for full
station state messaged up frame length checks. The length was originally
tested before looking at the payload of the frame and that is obviously
the correct location for that check. The location after those full state
state changes was after having read six octets of the payload which did
not help at all since there was no addition accesses to the payload
after that check.

Move the payload length check to appropriate place to get this extra
level of protection behaving in the expected manner. Since this is a TX
status callback handler, the frame payload is from a locally generated
Authentication frame and as such, it will be long enough to include
these fields in production use cases. Anyway, better keep this check in
working condition.

Fixes: bb598c3bdd ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:30:09 +02:00